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WHAT IS CLAIMED IS: 

1. A method for inserting a new access rule into an access control list, the list 
configured to contain independent rule blocks having ordered access rules, the method 
comprising: 

if the list is empty, creating a new independent rule block and inserting the new 
access rule therein; 

if the list is not empty, creating from the list a set of mapped independent rule 

blocks; 

for each block in the set, attempting to determine a position for the new access 

rule; 

removing from the set those blocks for which a position cannot be determined; 

and 

merging the blocks in the set to form a new independent rule block and inserting 
the new access rule therein. 

2. The method of claim 1 wherein creating from the list a set of mapped 
independent rule blocks comprises selecting all blocks in the list having at least one rule 
that is not disjoint with the new access rule. 

3. The method of claim 1 wherein attempting to determine a position for the 
new access rule comprises: 

comparing each existing rule in the rule block to the new access rule; and 
if all existing rules have been compared against the new access rule and no 

determination has been made, determining a position for the new access rule that is at 

the end of the block. 

4. The method of claim 3 wherein comparing each existing rule in the rule 
block to the new access rule comprises: 

if the two rules are disjoint, continuing to the next comparison; 
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if the new access rule is a subset of the existing rule and the two rules perform 
the same action, determining that there is no position in the block for the new access 
rule; 

if the new access rule is a subset of the existing rule and the two rules do not 
perform the same action, resolving the conflict between the new access rule and the 
existing rule; 

if the existing rule is a subset of the new access rule and the two rules perform 
the same action, determining a position for the new access rule that is in the place of the 
existing rule and removing the existing rule from the block; 

if the existing rule is a subset of the new access rule and the two rules do not 
perform the same action, resolving the conflict; 

if the new access rule and the existing rule are not disjoint, neither is a subset of 
the other, and the two rules have the same action, continuing to the next comparison; 
and 

if the new access rule and the existing rule are not disjoint, neither is a subset of 
the other, and the two rules do not have the same action, resolving the conflict. 

5. The method of claim 4 wherein resolving the conflict if the new access rule 
is a subset of the existing rule and the two rules do not perform the same action further 
comprises: 

if the new access rule takes priority, determining a position for the new access 
rule that is immediately before the existing rule; and 

if the existing rule takes priority, removing the block from the set of mapped 
independent rule blocks. 

6. The method of claim 4 wherein resolving the conflict if the existing rule is 
a subset of the new access rule and the two rules do not perform the same action further 
comprises: 

if the new access rule takes priority, determining a position for the new access 



-12- 



Attorney Docket No.: 26530.94 (IDR-685) 
Customer No. 27683 

rule that is in the place of the existing rule and removing the existing rule from the 
block; and 

if the existing rule takes priority, designating a position in the block for the new 
access rule that is immediately behind the existing rule. 

7. The method of claim 4 wherein resolving the conflict if the new access rule 
and the existing rule are not disjoint, neither is a subset of the other, and the two rules 
do not have the same action further comprises: 

if the new access rule takes priority, placing the new access rule in a position 
occupied by the existing rule; and 

if the existing rule takes priority, continuing to the next comparison. 

8. The method of claim 4 wherein resolving the conflict comprises 
establishing a priority based on predefined rules. 

9. The method of claim 4 wherein resolving the conflict comprises 
establishing a priority based on user input. 

10. The method of claim 1 wherein merging the blocks in the set to form a 
new independent rule block and inserting the new access rule therein comprises: 

placing all rules from every block in the set which are positioned ahead of the 
new access rule in front of the new access rule in the new block; and 

placing all rules from every block in the set which are positioned after the new 
access rule behind the new access rule in the new block. 

11. The method of claim 1 further comprising removing an existing rule, 
wherein the removing includes: 

searching for the existing rule to be removed based on an identification number 
associated with the existing rule; and 
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removing the rule. 

12. A computer system comprising: 

a rule base containing an access control list configured to hold independent rule 
blocks having ordered access rules; 

a rule enforcing engine for enforcing the rules in the access control list; and 
a rule insertion engine configured to execute instructions for inserting a new 
access rule into the access control list, the instructions comprising: 

if the access control list is empty, creating a new independent rule block 
and inserting the new access rule therein; and 

if the access control list is not empty, creating from the access control list a 
set of mapped independent rule blocks; 

if the set is empty, creating a new independent rule block and inserting 
the new access rule therein; and 

merging the blocks in a subset of the set comprising those blocks for 
which a position for the new access rule can be determined, and inserting the new 
access rule therein. 

13. The system of claim 12 wherein creating a set of mapped independent rule 
blocks comprises evaluating each independent rule block in the access control list and 
determining whether there is an existing access rule in the independent rule block that 
is not disjoint with the new access rule. 

14. The system of claim 12 wherein determining a position for the new access 
rule comprises: 

comparing each existing rule in the independent rule block to the new access 
rule; and 

if all existing rules have been compared against the new access rule and no 
position has been determined, designating a position for the new access rule that is at 
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15. The system of claim 14 wherein comparing each existing rule in the 
independent rule block to the new access rule comprises: 

if the two rules are disjoint, continuing to the next comparison; 

if the new access rule is a subset of the existing rule and the two rules perform 
the same action, determining that there is no position in the block for the new access 
rule; 

if the new access rule is a subset of the existing rule and the two rules do not 
perform the same action, determining a priority between the new access rule and the 
existing rule; 

if the existing rule is a subset of the new access rule and the two rules perform 
the same action, determining a position for the new access rule that is in the place of the 
existing rule and removing the existing rule from the block; 

if the existing rule is a subset of the new access rule and the two rules do not 
perform the same action, determining a priority between the existing rule and the new 
access rule; 

if the new access rule and the existing rule are not disjoint, neither is a subset of 
the other, and both have the same action, continuing to the next comparison; and 

if the new access rule and the existing rule are not disjoint, neither is a subset of 
the other, and the two rules do not have the same action, determining a priority 
between the existing rule and the new access rule. 

16. The system of claim 15 wherein determining a priority comprises the use 
of predetermined rules. 

17. The system of claim 15 wherein determining a priority comprises 
accepting user input to determine priority. 
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18. The system of claim 12 wherein removing the rule comprises searching for 
the rule to be removed based on an identification number associated with the rule and 
removing the rule. 

19. The system of claim 12 wherein merging the blocks in a subset comprises: 
placing all rules from every block in the subset which have a position ahead of 

the rule being inserted in front of the new access rule in the new block; and 

placing all rules from every block in the subset which have a position after the 
new access rule being inserted behind the new access rule in the new block. 

20. A computer readable medium comprising computer executable 
instructions for inserting a new access rule into an access control list containing 
independent rule blocks having ordered access rules, the instructions comprising: 

creating a new independent rule block and inserting the rule therein if the list is 
empty; 

creating from the list a set of mapped independent rule blocks if the list is not 
empty; 

determining a position for the new access rule for each block in the set and 
removing from the set those blocks for which a position cannot be determined; and 

merging the blocks in the set to form a new independent rule block and inserting 
the rule therein. 

21. The computer readable medium of claim 20 wherein creating the set of 
mapped independent rule blocks includes selecting all blocks in the list having at least 
one rule that is not disjoint with the new access rule. 

22. The computer readable medium of claim 20 wherein determining a 
position for the new access rule includes comparing each existing rule in the rule block 
to the new access rule and, for each comparison: 
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if the two rules are disjoint, continuing to the next comparison; 

if the new access rule is a subset of the existing rule and the two rules perform 
the same action, determining that there is no position in the block for the new access 
rule; 

if the new access rule is a subset of the existing rule and the two rules do not 
perform the same action, resolving the conflict between the new access rule and the 
existing rule, and if the new access rule takes priority, assigning a position of the 
existing rule to the new access rule, and if the existing rule takes priority, not assigning 
a position to the new access rule; 

if the existing rule is a subset of the new access rule and the two rules perform 
the same action, assigning a position of the existing rule to the new access rule; 

if the existing rule is a subset of the new access rule and the two rules do not 
perform the same action, determining which of the new access and existing rules has 
priority and, if the new access rule takes priority, assigning a position of the existing 
rule to the new access rule, and if the existing rule takes priority, assigning a position in 
the block for the new access rule that is immediately behind the existing rule; 

if the new access rule and the existing rule are not disjoint, neither is a subset of 
the other, and the two rules do not have the same action, determining which of the new 
access and existing rules has priority and, if the new access rule takes priority, assigning 
a position of the existing rule to the new access rule; and 

if all existing rules have been compared against the new access rule and no 
determination has been made, determining a position for the new access rule that is at 
the end of the block. 

23. The computer readable medium of claim 21 wherein determining which of 
the new access and existing rules has priority is based at least partly on user determined 
criteria. 

24. The computer readable medium of claim 20 wherein merging the blocks in 
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the set to form a new independent rule block and inserting the rule therein comprises: 
placing all rules from every block in the set which have a position ahead of the 

rule being inserted in front of the new access rule in the new block; and 

placing all rules from every set which placed after the rule being inserted behind 

the new access rule in the new block. 

25. The computer readable medium of claim 20 wherein removing the rule 
comprises searching for the rule in the list based on a unique identification number and 
removing the rule. 
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